Version 2 (modified 12 years ago)
AD Group Management
The plugin extends Active Directory (LDAP) group membership into the Trac permission namespace, so you can grant permissions to groups of authenticated users that are maintained in the directory rather than in Trac itself.
Theory
LDAP stores a group as an entry of a group objectClass; the entry usually lists its users in a member attribute (one DN per user, as in Active Directory) or a memberUid attribute (one login name per user, as in POSIX groups). When a permission check encounters a group subject from the permission table, the group is expanded to its members, and the authenticated user is matched against that list.
Usage
- create the groups you want in the directory (say cn=Staff,dc=home,dc=net)
- add users to the groups
- go to Admin -> Permissions and grant permissions to the group name, written as described under Configuration. So, for example, use Grant Permission with Subject: @staff, Permission: WIKI_EDIT
NOTE: groups will NOT show up for a user until they are referenced from the Permissions page.
Validation
To check what a user actually holds, log in to the Trac host with permissions on the TRAC_HOME directory and run
me@here > sudo trac-admin /var/trac/mytrac permission list {user}
The output shows the permission entries recorded for that subject.
Configuration
Any groups found under the base_dn will be expanded into the Trac namespace:
- each group name is normalized by converting it to lower case and replacing spaces with underscores
- the normalized name is prefixed with an @ sign
For example:
cn=Domain Users,cn=Users,dc=ad,dc=com
== @domain_users
Note that the mapping is not one-to-one: two directory groups whose names differ only in letter case, or in spaces versus underscores, collapse to the same Trac group and therefore share permissions.
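The following Python example ties the Theory and Configuration sections together: it normalizes group DNs to Trac group names exactly as stated above (lower case, spaces to underscores, @ prefix), expands a group entry to its members, and resolves the actions a user holds from a "subject action" table like the one under Example Configurations. It is an added example, not the plugin's own code. The directory is a constructed in-memory dict standing in for LDAP search results, the permission table is constructed, and the rule that a member DN maps to a Trac user name via its first RDN value is an assumption the page does not state.

```python
"""Group-name normalization and membership expansion (added example, not plugin code)."""
import re

# Constructed sample directory: group DN -> attributes on the group entry.
# AD-style groups list member DNs in "member"; POSIX groups list uids in "memberUid".
SAMPLE_DIRECTORY = {
    "cn=Domain Users,cn=Users,dc=ad,dc=com": {
        "member": ["cn=alice,cn=Users,dc=ad,dc=com",
                   "cn=bob,cn=Users,dc=ad,dc=com"],
    },
    "cn=SysOps,cn=Users,dc=ad,dc=com": {
        "member": ["cn=bob,cn=Users,dc=ad,dc=com"],
    },
    "cn=Staff,dc=home,dc=net": {
        "memberUid": ["carol"],
    },
}

# Constructed permission table in the "subject action" form used on this page.
# Subjects starting with @ are directory groups; anything else is a plain user.
SAMPLE_PERMISSIONS = [
    ("@domain_users", "WIKI_CREATE"),
    ("@domain_users", "BROWSER_VIEW"),
    ("@staff", "WIKI_EDIT"),
    ("@sysops", "WIKI_DELETE"),
    ("bob", "TICKET_ADMIN"),  # granted directly to a user, not via a group
]

# First RDN of a DN: attribute type, "=", value (commas escaped as "\,").
_RDN_RE = re.compile(r"^\s*([A-Za-z][\w-]*)=((?:\\,|[^,])*)")


def first_rdn_value(dn):
    """Return the value of the first RDN, e.g. 'Domain Users' for 'cn=Domain Users,...'."""
    m = _RDN_RE.match(dn)
    if not m:
        raise ValueError("not a DN: %r" % dn)
    return m.group(2).replace("\\,", ",").strip()


def trac_group_name(group_dn):
    """Normalize as the page states: lower case, spaces -> underscores, '@' prefix."""
    return "@" + first_rdn_value(group_dn).lower().replace(" ", "_")


def expand_group(directory, group_dn):
    """Expand one group entry to the set of user names it contains.

    Assumption (not stated on the page): a member DN maps to the Trac user
    name by taking its first RDN value; memberUid values are used as-is.
    """
    attrs = directory.get(group_dn, {})
    members = set(first_rdn_value(dn) for dn in attrs.get("member", []))
    members.update(attrs.get("memberUid", []))
    return members


def groups_for_user(directory, username):
    """All normalized group names whose expansion contains username."""
    return {trac_group_name(dn) for dn in directory
            if username in expand_group(directory, dn)}


def effective_permissions(permissions, directory, username):
    """Actions the user holds: direct grants plus grants to any group the user is in."""
    subjects = groups_for_user(directory, username)
    subjects.add(username)
    return {action for subject, action in permissions if subject in subjects}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user,
              sorted(groups_for_user(SAMPLE_DIRECTORY, user)),
              sorted(effective_permissions(SAMPLE_PERMISSIONS, SAMPLE_DIRECTORY, user)))
```

Running it shows bob holding WIKI_DELETE through @sysops and TICKET_ADMIN through his direct grant, carol holding only WIKI_EDIT through @staff, and dave (in no group) holding nothing.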
Example Configurations
For example:
@domain_users BLOG_CREATE
@domain_users BLOG_MODIFY_ALL
@domain_users BLOG_MODIFY_OWN
@domain_users BROWSER_VIEW
@domain_users DISCUSSION_APPEND
@domain_users MYPAGE_VIEW
@domain_users PRIVATE_EDIT_ATOL_SECURE
@domain_users PRIVATE_VIEW_ATOL_SECURE
@domain_users REPORT_SQL_VIEW
@domain_users RES_RESERVE_MODIFY
@domain_users RES_RESERVE_VIEW
@domain_users RIPE_EDIT
@domain_users TICKET_ADMIN
@domain_users TSTATS_VIEW
@domain_users WIKI_CREATE
@domain_users WIKI_RENAME
@domain_users XML_RPC
@branch_admins PRIVATE_VIEW_BRANCH_SECURE
@ops PRIVATE_EDIT_OPS_SECURE
@ops XML_RPC
@sysops DISCUSSION_ADMIN
@sysops RIPE_ADMIN
@sysops TICKET_EDIT_CC
@sysops WIKI_DELETE
@trac_admin TRAC_ADMIN
...
- This gives the @domain_users group from AD a specific set of permissions. Note that the set includes TICKET_ADMIN, so every directory member can administer tickets; narrow that grant to a smaller group if that is not what you want.
- @branch_admins use the PrivateWiki plugin (PRIVATE_VIEW_BRANCH_SECURE) to hide the pages holding their passwords
- as does the @ops group (PRIVATE_EDIT_OPS_SECURE)
- @sysops get the administrative actions of the discussion and RIPE plugins, plus TICKET_EDIT_CC and WIKI_DELETE
- @trac_admin holds TRAC_ADMIN, which in Trac implies every other action ;-)